Whether you are on 1 or 20 email lists, you will have received an email sometime in the last few weeks with the words “POPI” and “compliance” in the subject line…
So, what on earth is “POPI” and why has it invaded our inboxes?
The POPI Act has not just “appeared” out of thin air. The Protection of Personal Information Act was promulgated and published in the Government Gazette in 2013, and its first sections came into effect in April 2014; the bulk of the Act only commenced in July 2020, with a one-year grace period for organisations to become compliant. The wheels of society, and the implementation of the laws that are made, can sometimes turn very slowly. Now, 7 years down the line, we find ourselves confronted with having to be compliant.
The fact is that this is one of the “good” laws on our statute book. Every person is protected by this law and should be thankful for it. The law’s intent is in its name: to ensure that the personal information of the citizens of our country is protected and guarded against abuse and discrimination.
In this age of social media and the information autobahn (a “highway” is too slow), we should be able to have peace of mind that the information we share about ourselves will be handled in a responsible and honourable manner.
Personal information is any and all facts that pertain to a person, from your name and contact details to more personal and intimate facts like your religion, health and sexual orientation.
The POPI Act sets out 8 conditions for the lawful processing of personal information. Knowing them should help you to understand the Act better:
- Accountability
Every organisation (big and small) that collects and keeps a person’s personal information is accountable for complying with the Act and for handling that information in a responsible manner.
- Processing Limitation
Personal information may only be processed in a fair and lawful manner.
- Purpose Specification
The gathering of personal information has to be for an express purpose. This purpose must be stated clearly in any documentation and must be clearly understood by the individual who will be sharing that information.
- Further Processing Limitation
Once an organisation has identified, and obtained consent for, specific, legitimate and explicitly defined purposes, the personal information may only be processed insofar as it is necessary to fulfil those purposes. In other words, once an organisation has your information, it may only use it for the purpose that it stated, e.g. your hairdresser can’t “sell” your name and number to someone marketing hair care products.
- Information Quality
The organisation gathering information should ensure that the quality of the information is maintained, i.e. that the information is accurate and up to date.
- Openness
It is the organisation’s responsibility to be open about what it does with the information gathered: to process it in a fair and transparent way, so that you know what is being held about you and why.
- Security Safeguards
It is also the responsibility of the organisation to make sure that all personal information is kept secure against the risk of loss, unauthorised access, interference, modification, destruction or disclosure. This includes simple things like keeping paper records in a locked filing cabinet, restricting and regularly changing the passwords that give access to systems holding the information, etc.
- Data Subject Participation
Any person who has shared his/her personal information has the right to access that information and/or to request the correction or deletion of any personal information held about them that is inaccurate, misleading or outdated. E.g. you can and should request that your address be updated if you have moved.
In summary, we should be grateful that there is legislation that protects our right to privacy and that holds organisations accountable for using the personal information they have about us in a lawful manner. We can welcome POPI into our inboxes; she is a friend!